Money, money, money
Like it or not, fall is right around the corner, and for many private enterprises, fall means Q4 which means facing the dreaded budgeting season. If budgeting itself weren’t cumbersome enough, cybersecurity budgets—even if they stand alone—are often part of a larger function. That means the “budget” you get isn’t really your own, cementing the fact that infosec is still today perceived as a sidebar of IT, operations, or even finance.
When security is offered the opportunity to submit its own budget, it’s often with the caveat that another department could have the opportunity to consume or override the security team’s submission. A security budget may therefore be a “security budget,” subject to reviews, signoffs, and changes by anyone from the CEO to finance to legal. Infosec as a function continues to float around in the organization; regardless of whether a company has a CISO, that person often reports to some other C-level besides the CEO. This is indicative of a larger problem: security isn’t yet able to communicate its value. Nobody’s going to buy into your “product” if they don’t perceive value, and this is where security falls short in the budget department.
Everyone knows that security breaches are the symptom of a pervasive problem, but in a way, the prevalence of breaches desensitizes executives to the impact. Yet executive teams are aware that cybersecurity is costing more and more each year, with (regularly) no demonstrable return on investment. Because security isn’t well understood, it’s considered by some as a drain on the bottom line—a necessary evil—and the gut reaction by finance and executive teams is to minimize cost as quickly as possible. In fact, security has become a “cost of doing business” for many companies, and the larger the company, the more likely it is to consider security OpEx. This is fine for companies that can stomach thousands or even millions of dollars in losses, but most companies can’t. All companies shouldn’t.
I work all night, I work all day
One of the best ways to ensure that your security budget will get slashed or just remain stagnant is to spread FUD (fear, uncertainty, and doubt). “It can happen to us!” or, “Look what happened at Target,” is not a good way to earn the confidence of peers or executives. Yet when senior security staff walk into a board room, there’s still a lot of FUD flung to see what sticks. The lack of truly actionable, industry- accepted security metrics or standardized risk models is at the root of the problem, but its incumbent upon security leaders to work from established risk-based models recognized in other parts of the business and mold them to work for security. Organizations have been managing risk since time immemorial; the concept is not new, and security can benefit a great deal by modeling its metrics on those understood, used, and welcomed by lines of business. Not enough security executives have adopted proven methodologies, instead choosing to believe that security is its own special snowflake. When security executives don’t feel they have a good story to tell, the easy fallback is sharing data on blocked malware attempts or number of log alerts or dollars potentially lost. These numbers, though, aren’t metrics at all, and they will more often than not fall on deaf ears when it comes to budget allocation. How do those numbers add value to the organization? Lines of business don’t see that they do, and so they think: cost. Cut that cost.
To pay the bills I have to pay
For security metrics to be appreciated, accepted, and affect change (i.e., garner budget, in this case), they must convey relevancy to the business. Each security team needs to develop its own unique metrics story. To make this happen, the security team first needs a deep understanding of what matters to the business, and then communicate how security is going to or is already helping the business achieve its goals. Talk to finance professionals and learn a bit about their models. You don’t have to be a finance expert to understand the basics. If your organization has an established risk management team, talk to those folks. They’re happy to talk about risk modeling all day long, and they can help you start to build security metrics with meaning. Find a knockout HR or marketing executive and ask them for help with crafting an effective message around security’s value. These folks live to communicate, and they might have some tips you can work into your security business strategy.
There never seems to be a single penny left for me
Only the security team knows the ins and outs of security happenings, but other departments have years of successful metrics presentations under their belts, and in turn have received sufficient budgets that support their efforts. Have you ever heard of a sales team whose budget isn’t big enough? Me neither. Security isn’t a zero sum game, and security teams have an opportunity to change the story from one of doom and gloom to one where infosec is a supporting character. It’s time to truly embrace business executives as partners who can help rather than keeping them at arm’s length. You never know, maybe you’ll learn a handy new business tool that will earn you a comfy 2017 budget.